A Digital Red Cross

The International Committee of the Red Cross wants some digital equivalent to the iconic red cross, to alert would-be hackers that they are accessing a medical network.

The emblem wouldn’t provide technical cybersecurity protection to hospitals, Red Cross infrastructure or other medical providers, but it would signal to hackers that a cyberattack on those protected networks during an armed conflict would violate international humanitarian law, experts say, Tilman Rodenhäuser, a legal adviser to the International Committee of the Red Cross, said at a panel discussion hosted by the organization on Thursday.

I can think of all sorts of problems with this idea and many reasons why it won’t work, but those also apply to the physical red cross on buildings, vehicles, and people’s clothing. So let’s try it.

EDITED TO ADD: Original reference.

Posted on November 14, 2022 at 6:38 AM • 23 Comments

Comments

Michael P November 14, 2022 8:24 AM

Attribution and jurisdiction seem much more problematic for cybercrime than for traditional physical attacks. Even assuming a victim (or law enforcement) can definitely say that a ransomware attack originated in Elbonia, which is uncertain, what’s the recourse? Extraordinary rendition? Sanctions against the Elbonian government?

tfb November 14, 2022 8:54 AM

This sounds to me like a good idea. More generally there ought to be the equivalent of the Geneva conventions for what is and is not a legitimate attack on computing systems during wars. Obviously not everyone will follow such conventions, but that does not mean they wouldn’t have value. Not following them should be a war crime.

Clive Robinson November 14, 2022 9:33 AM

@ Bruce, ALL,

“I can think of all sorts of problems with this idea and many reasons why it won’t work”

The primary reason it won’t work is that of lack of visceral shaming.

The Red Cross works because eventually the bodies get found and the evidence published in a newspaper causes those who committed the acts to not just lose credibility but an adverse reputation in the world.

It’s why the likes of Journalists are attacked by even Western Governments and portrayed as spies or criminals. Worse, much that should not be kept secret is, and this becomes an even bigger boil to lance.

But there is another issue that needs to be considered,

“When is a medical network not a medical network?”

Take for instance what is probably the world’s largest spying organisation Palantir.

The UK Government amongst others think it’s fine to give all the intimate medical records of UK Citizens and others who have received medical treatment to Palantir.

Should Palantir be allowed the use of the Cyber-Red-Cross to hide all their activities behind?

I would hope not, but I’m fairly certain that “False Flagging” will become a major use of the Cyber-Red-Cross. So we need really intrusive “oversight” with hard and easily enforceable penalties for misuse.

So with those considerations given real thought to we come to the,

“So let’s try it.”

The question though is,

“How?”

One of the first lessons you get about “Abstract Data Types” (ADTs)

1, No bag of bits is unique.

The second is,

2, A bag of bits has no unique meaning, or any meaning without meta-data.

So the question of,

“How do we make the flag?”

Needs answering before we come to the even harder question of,

“How do we fly the flag so all can not fail to see it?”

There are several more questions but those two alone will keep a committee occupied for quite some time to come.

Hans November 14, 2022 10:08 AM

@Mexaly
“Evil Bit”

Not really the same. The proposal clearly states that this is not supposed to grant protection on a technical level. Only a legal one by making attacking marked sites a war crime.
Similar as some red paint does not protect against any kind of military weapons.

Sure, as others have said there are still a couple of issues to be solved before it can be enacted.

Quantry November 14, 2022 10:56 AM

Looks like they have one, create an NFT and sell it back to them.
‘https://www.redcross.org/etc/designs/redcross/shared/favicon.ico

But like the “banner of peace” dots flying at your gate
‘https://www.svgrepo.com/show/62485/peace-flag-center-of-three-dots.svg

or the “robots.txt” for a website, or waving a white flag…

compliance is optional in the minds of vultures without a conscience, and that’s the “business model of the internet”.

Frank B. November 14, 2022 11:30 AM

Sociopaths don’t care. Pharmacies in North America put signs up out front telling would-be burglars and junkies that there are no narcotics stored in their business overnight and they still get broken into.

wiredog November 14, 2022 11:56 AM

This would apply during an armed conflict. One of the ways of dealing with false flagging in Real World armed conflicts is that, once you do that, everything you’ve marked becomes a legitimate target. Transport ammo in a red cross marked ambulance. Well, now your Red Cross marked hospitals are just going to be assumed to be ammo dumps. Of course, falsely flagging is a war crime.

Every few years someone has to learn this the hard way.

iAPX November 14, 2022 11:58 AM

What is a “hospital”, and who will decide what is a “hospital” or not?!?

Not kidding, I took a look at the definition of “hospital”.

an institution providing medical and surgical treatment and nursing care for sick or injured people.

For example an establishment that provides care and nursing without surgical treatment is NOT a hospital.
An establishment providing surgical treatment but not nursing is NOT a hospital.
A care facility without nursing and surgical treatment is NOT a hospital.

I have another definition of what is a hospital: for me any place where people whether civilian or military receive care, nursing OR surgical treatment.

And there is another point with war time, as the USA is ALWAYS in war against some other countries. ALWAYS.

Stéphane Bortzmeyer November 14, 2022 11:59 AM

@Frank B. As always in security, if you wait for the perfect solution, you’ll go nowhere. Nobody claimed that the physical red cross is perfect (Russian planes in Syria used them to target their strikes deliberately to hospitals) but it allows to clearly delineate the really bad guys from the ordinary enemies, and maybe to prosecute them later. The digital red cross will have the same strengths and weaknesses.

Meta Hirabayashi November 14, 2022 2:21 PM

One obvious problem is enforcement: you can shame and punish people who exploit false flags, treating them as a war crime because that is the consequence of their actions discrediting the red flag; this works because no one accidentally paints a red cross flag on their munitions supply truck. But with computers… accidentally copying things is just Tuesday and every other day ending in ‘-day’. It gets embedded in a library, or becomes an optional header stamped on a packet, gets a popular StackOverflow answer, and boom, a year later, half the Internet is now claiming to be Red Cross and it can no more be fixed than all the other Internet of Thing security issues. Are you going to prosecute a meaningful fraction of the global population for war crimes for buying the wrong Bluetooth radio gadget for their home?

Clive Robinson November 14, 2022 2:39 PM

@ Wiredog, ALL,

Re : There is no retaliation in asymmetric warfare.

Cyber attackers come in two versions, those who are “under flag” and those who are not.

If your attacker is “not under flag” then you are almost certainly part of some form of asymmetric warfare.

Which makes,

“One of the ways of dealing with false flagging in Real World armed conflicts is that, once you do that, everything you’ve marked becomes a legitimate target.”

Becomes interesting when all the targets have PoWs, women, children and other civilians and similar in them.

Since before Roman times more than two millennia ago the use of civilians as what we now call “Human Shields” was used as was the ransoming of what we now call PoWs.

The simple fact is “false flag” works in more ways than one, and making tagged targets “legitimate targets” is not a sensible thing to do. Unless of course you want press sensitive “collateral damage” corpses stacked up like cord-wood to be seen by the world.

It’s a game that can be won by kinetic or other military force. Which begs the question,

“Is the cyber domain sufficiently different?”

That is can cyber-attacks not cause bad publicity… My view on the matter is it is not wise to try due to the “Army of One Principle” and “non-locality of action”.

Clive Robinson November 14, 2022 3:32 PM

Oops,

In my above the word “not” has been left out of,

“It’s a game that can be won by kinetic or other military force.”

After “It’s”.

Jonathon November 14, 2022 6:47 PM

@Frank B.

Sociopaths don’t care.

It might be worse than that. A hospital deals with a lot of money, has a full-time information technology staff, and will be very motivated to get things working quickly—they’re gonna be in the news every single day till they do. I’d imagine it’s easier to, for example, get ransomware onto a convenience store’s network… at which point the attacker may find out they don’t have much money, the owner’s “tech manager” cousin has never heard of Bitcoin, and none of the data is particularly valuable anyway. Really, from a sociopathic point of view, a hospital’s kind of an ideal target, about as good as a bank.

@Stéphane, I don’t think it’s true that this will have “the same strengths and weaknesses” as the physical red cross. As Michael pointed out, attribution is likely to be much harder, and I think it’s significant enough to treat this as an entirely different thing. There are quite a limited number of people/groups with access to rocket launchers, for example, so when a rocket hits a hospital you’ve got some idea about the suspects (plus, it leaves physical evidence, you can go “shake down” the known arms dealers, etc.). When it comes to hospital malware attacks, everyone with a computer is a suspect.

Maybe the Russian military are attacking Ukrainian hospital networks, maybe private Russian citizens are, maybe it’s “the usual suspects” we all see in our logs every day from everywhere—probably relaying via hijacked internet connections. Article 8 of the Rome Statute only gives the ICC jurisdiction for crimes that are “part of a plan or policy or as part of a large-scale commission of such crimes”, and unless an attacker “signs their work” (and not with a “false flag”) or we get some whistleblowers, how would we make that claim? Still, there are always some soldiers that will defect, who might say that everyone involved saw the “red cross” symbol and went ahead anyway. So it’s not pointless.

lurker November 14, 2022 7:14 PM

@Quantry, All, “compliance is optional”

as we have already seen with red crosses painted on the roof of munitions warehouses causing bombs to fall on all red crossed roofs.

Or as my old sergeant said, think about how 4 square inches of linen (the medics’ armband) on your arm will stop a bullet.

Gert-Jan November 15, 2022 6:43 AM

The digital red cross will have the same strengths and weaknesses.

Apart from the attribution difficulty, if I drive around with a car with a red cross painted on it, then all observers basically see the same image.

Not so in cyberspace. In cyberspace, a website might show the digital flag for IP address A for user-agent FireFox between 4 and 5 AM on odd days in the first 10 requests. In other words, sending or seeing the digital flag can easily be manipulated and disputed.

SpaceLifeForm November 15, 2022 9:58 PM

@ Clive, ALL

I believe the WSJ headline is misdirection.

I believe what RedCross is looking at is a digital signature that recipients can verify. Not a visual flag issue.

RedCross does send SMS messages out.

They want the recipient to be able to verify that it really came from RedCross and it was not spam disinformation or misinformation.

So, the trick will be to concatenate a short message and a Signature into a bag-of-bits that remains exactly 140 bytes of 7-bit ASCII characters.

Not simple. I will ponder on this some more. But, 140 bytes of 7-bit ASCII is a difficult constraint and still have any kind of sound Signature. Jumping across multiple 140 byte blocks gets problematic.

Obviously, I realize that this can be attacked from various angles, in a soft manner.

But, something is better than nothing.

The life of the recipient may be at stake.

Clive Robinson November 16, 2022 5:10 AM

@ SpaceLifeForm, ALL,

Re : SMS and the text within.

“So, the trick will be to concatenate a short message and a Signature into a bag-of-bits that remains exactly 140 bytes of 7-bit ASCII characters.”

Err it’s not just a “bag-of-bits” of 140 x 7bits of ASCII… It’s actually highly structured and uses “in-band-signalling”. Whilst most don’t know it, it does differentiate between an all upper case char message and mixed case / lower case messages, so it can send 160 upper case chars. But you get one char wrong and the whole message gets re-encoded in UCS-2 thus you only get 70 chars in a message…

Originally called “GSM 03.38 7-bit alphabet” or just GSM 03.38 which is still used as a short hand title, it has long since been upgraded as,

“The 3rd Generation Partnership Project Technical Standard 23.038” or “3GPP TS 23.038”

https://en.m.wikipedia.org/wiki/GSM_03.38

Which does contain an 8bit binary format, which would be the correct content delivery format to use, –but as is still occasionally said in the UK[1]– “Few have a Coco” about. Because the format is shall we say “a tad complicated” which is why most would just reach for the unholiest of unholies a “serialization library”…

As those once happy JavaScript with JSON users are now slowly understanding serialization is not something you should overload to your “heart’s content” or “hide behind a library”… Like JavaScript[2] serialization is a major security vulnerability almost all the time, especially as it is with anything you try to “kitchen sink”. Because even when you know what you are doing, all too often the library writers don’t, nor do those that write “sample code” for the library that then gets so much “cut-n-paste programming” to meet deadlines and the like. And even when the library coders do understand there are way way too many corner and edge cases you have to trap and squash for a “general library” of high level code functions to be able to handle safely. And that’s before you start talking about using it across communications in an environment you do not 100% control, especially in an assumed to be hostile environment.

It does not take long to realise that this “Digital Flag” idea will turn into a “Certificate Authority”(CA) with all the problems that brings. That’s before we talk about hostile environments and uncontrolled communications with the difficulties of attribution etc thrown into the mix.

[1] The expression “Few have a Coco” is derived from the sarcastic phrase “I should coco” meaning in effect “no way” or “that’s dumb” implying a specific third party “does not have a clue”, the derived “Few have…” is a derogatory comment on a more generalized population or subset of “the great unwashed” or “hoi polloi” or less politely “plebs”.

[2] After two decades or more of trying to clean things up the primary designer of JSON Douglas Crockford is saying we are well overdue on ditching the junk and starting out again,

https://devclass.com/2022/08/04/retire_javascript_says-json-creator-douglas-crockford/
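
The size constraint raised in the two comments above (a short message plus a signature inside one 140-octet SMS, and the GSM 03.38 alphabet it is sent in), as an added example that is not part of the original thread. It assumes Ed25519 as the signature scheme, unpadded base64 for the signature text and a newline as separator; those choices and the names `SignSMS`, `VerifySMS` and `septets` are illustrative, and only the ASCII part of the GSM alphabet is handled.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

const maxSeptets = 160 // one SMS: 140 octets = 160 packed 7-bit characters

// septets counts 7-bit units in the GSM 03.38 default alphabet (ASCII subset only).
func septets(s string) (n int, err error) {
	for _, r := range s {
		if strings.ContainsRune("[\\]^{|}~", r) {
			n += 2 // extension table: escape septet plus the character
		} else if r == '\n' || (r >= ' ' && r <= '~' && r != '`') {
			n++
		} else {
			return 0, fmt.Errorf("%q is outside the ASCII subset handled here", r)
		}
	}
	return n, nil
}

// SignSMS returns msg, a newline and an 86-character base64 Ed25519 signature,
// or an error if the result does not fit one 7-bit SMS.
func SignSMS(priv ed25519.PrivateKey, msg string) (string, error) {
	sig := ed25519.Sign(priv, []byte(msg)) // always 64 bytes
	out := msg + "\n" + base64.RawStdEncoding.EncodeToString(sig)
	if n, err := septets(out); err != nil {
		return "", err
	} else if n > maxSeptets {
		return "", fmt.Errorf("needs %d septets, one SMS holds %d", n, maxSeptets)
	}
	return out, nil
}

// VerifySMS splits at the last newline and returns the text only if the
// signature over it verifies under pub.
func VerifySMS(pub ed25519.PublicKey, sms string) (string, error) {
	i := strings.LastIndexByte(sms, '\n')
	if i < 0 {
		return "", fmt.Errorf("no signature field")
	}
	sig, err := base64.RawStdEncoding.DecodeString(sms[i+1:])
	if err != nil || !ed25519.Verify(pub, []byte(sms[:i]), sig) {
		return "", fmt.Errorf("signature check failed")
	}
	return sms[:i], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key
	sms, _ := SignSMS(priv, "Clinic at Main St open 0800-1600 today.") // constructed text
	fmt.Println(VerifySMS(pub, sms))
}
```

With these choices a single SMS leaves 73 septets for the text, and `SignSMS` rejects anything longer instead of splitting it across several messages.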

Denton Scratch November 16, 2022 6:29 AM

So, the trick will be to concatenate a short message and a Signature into a bag-of-bits that remains exactly 140 bytes of 7-bit ASCII characters.

I’m not sure what the point of a signed SMS message is, if standard SMS apps have no mechanism for creating or verifying the signature.

Some armies (thinks: WWII Japanese Imperial Army) would single out medics, because they knew that other soldiers would endanger themselves to protect them. If the flag doesn’t actually confer real protection, then displaying it is legalistic, relying on the hope of some future warcrimes prosecution for its effect. But warcrimes prosecutions are quite rare, only the losing side is ever prosecuted, and some nations seem to be immune.

Aid convoys are routinely robbed by military units. Medical supplies are not distinct from military supplies; soldiers need medicines at least as much as civilians do. An army without medical supplies is an army that isn’t fit to fight. So in purely pragmatic terms, aid convoys are a legitimate target. Only “international law” makes them illegitimate.

But international law isn’t the same as some imputed universal law; it’s created by international treaties, to which not all nations are signed up. And when nations fight wars over international boundaries, they are already violating international law; that’s what creates those boundaries. Essentially, international wars are illegal already, so expecting people to obey international law in the conduct of a war that is already illegal is a forlorn hope.

Winter November 16, 2022 7:18 AM

@Denton Scratch

I’m not sure what the point of a signed SMS message is, if standard SMS apps have no mechanism for creating or verifying the signature.

You can use the web browser infrastructure.

If the signature has a mime type attached, it can resolve to a website which can check the signature using a HTTPS connection. A simple link with code could do that, allowing the recipient to check the server and signature.

SpaceLifeForm November 16, 2022 7:14 PM

@ Winter

website which can check the signature using a HTTPS connection.

Good to see you are thinking outside the box.

You are reading my mind. Thank you.

Keep thinking on this, and think hinky.


Sidebar photo of Bruce Schneier by Joe MacInnis.